A comprehensive tolerant algebraic side-channel attack over modern ciphers using constraint programming

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

Tolerant algebraic side-channel attack (TASCA) combines side-channel information with an algebraic formulation of a cipher to exploit its weaknesses and recover a secret key. Its inputs consist of a side-channel trace of an encryption together with the plaintext and the ciphertext. TASCA demonstrated that pseudo-Boolean optimization can recover a key with reasonable computational effort. Unlike Boolean Satisfiability (SAT), Constraint Programming (CP) is an optimization technology that favors high-level, rich and expressive models and is therefore well suited to naturally model and solve cryptanalysis challenges. It offers direct encoding of bit-wise operations and avoids the costly bit-blasting formulation required by SAT and pseudo-Boolean solvers. TASCA-CP is an embodiment of TASCA and is used to attack AES-128 as well as AES-256 and recover keys when noisy side-channel measurements are available. It achieves this task orders of magnitude faster than the original TASCA approach. With this performance, TASCA-CP enables cryptanalysts to explore larger key sizes and probe weaknesses of ciphers. The article demonstrates, with an attack on KeeLoq, that a high-level modeling approach is essential to adapt easily to different ciphers. The empirical evaluation establishes the performance of the system when compared to the original TASCA implementation running on modern IP solvers and identical hardware.



Availability of data and materials

The code will be publicly available following acceptance of this article.

Code availability

The code will be publicly available on Docker Hub.

References

  1. Achterberg, T.: SCIP: solving constraint integer programs. Math. Program. Comput. 1(1), 1–41 (2009). https://doi.org/10.1007/s12532-008-0001-1

  2. Apt, K.: Principles of Constraint Programming. Cambridge University Press, Cambridge (2003). https://doi.org/10.1017/CBO9780511615320

  3. Berthold, T., Heinz, S., Pfetsch, M.E.: Nonlinear pseudo-Boolean optimization: relaxation or propagation? pp. 441–446. Springer, Berlin (2009). https://doi.org/10.1007/978-3-642-02777-2_40

  4. Bockmayr, A., Hooker, J.N.: Constraint programming. Handb. Oper. Res. Manag. Sci. 12, 559–600 (2005)

  5. Bogdanov, A.: Attacks on the KeeLoq block cipher and authentication systems. In: RFIDSec (2007)

  6. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007, pp. 450–466. Springer, Berlin (2007)

  7. Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and slide attacks on KeeLoq. In: Nyberg, K. (ed.) Fast Software Encryption, pp. 97–115. Springer, Berlin (2008)

  8. Daemen, J., Rijmen, V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, Berlin (2013)

  9. Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962). https://doi.org/10.1109/TIT.1962.1057683

  10. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2001, pp. 251–261. Springer, Berlin (2001)

  11. Gleixner, A., Bastubbe, M., Eifler, L., Gally, T., Gamrath, G., Gottwald, R.L., Hendel, G., Hojny, C., Koch, T., Lübbecke, M.E., Maher, S.J., Miltenberger, M., Müller, B., Pfetsch, M.E., Puchert, C., Rehfeldt, D., Schlösser, F., Schubert, C., Serrano, F., Shinano, Y., Viernickel, J.M., Walter, M., Wegscheider, F., Witt, J.T., Witzig, J.: The SCIP Optimization Suite 6.0. Technical report, Optimization Online (2018). http://www.optimization-online.org/DB_HTML/2018/07/6692.html

  12. Indesteege, S., Keller, N., Dunkelman, O., Biham, E., Preneel, B.: A practical attack on KeeLoq. In: Smart, N. (ed.) Advances in Cryptology—EUROCRYPT 2008, pp. 1–18. Springer, Berlin (2008)

  13. Junod, P., Canteaut, A.: Advanced Linear Cryptanalysis of Block and Stream Ciphers. Cryptology and Information Security Series. IOS Press, Amsterdam (2011)

  14. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) Advances in Cryptology—CRYPTO '99, pp. 388–397. Springer, Berlin (1999)

  15. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) Advances in Cryptology—CRYPTO '96, pp. 104–113. Springer, Berlin (1996)

  16. Liu, F., Cruz, W., Ma, C., Johnson, G., Michel, L.: A tolerant algebraic side-channel attack on AES using CP. In: Beck, J.C. (ed.) Principles and Practice of Constraint Programming, pp. 189–205. Springer International Publishing, Cham (2017)

  17. Liu, F., Cruz, W., Michel, L.: A complete tolerant algebraic side-channel attack for AES with CP. In: Hooker, J. (ed.) Principles and Practice of Constraint Programming, pp. 259–275. Springer International Publishing, Cham (2018)

  18. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer-Verlag New York Inc., Secaucus (2007)

  19. Michel, L., Schaus, P., Van Hentenryck, P.: MiniCP: A Lightweight Solver for Constraint Programming (2018). https://minicp.bitbucket.io

  20. Michel, L., Van Hentenryck, P.: Constraint satisfaction over bit-vectors. In: International Conference on Principles and Practice of Constraint Programming—CP 2012, pp. 527–543. Springer (2012)

  21. Michel, L., Van Hentenryck, P.: A microkernel architecture for constraint programming. Constraints 22(2), 107–151 (2017). https://doi.org/10.1007/s10601-016-9242-1

  22. Mohamed, M.S.E., Bulygin, S., Zohner, M., Heuser, A., Walter, M., Buchmann, J.: Improved algebraic side-channel attack on AES. J. Cryptogr. Eng. 3(3), 139–156 (2013). https://doi.org/10.1007/s13389-013-0059-1

  23. NIST: Federal Information Processing Standards Publication 197 (FIPS 197), Advanced Encryption Standard (AES) (2001)

  24. Oren, Y., Kirschbaum, M., Popp, T., Wool, A.: Algebraic side-channel analysis in the presence of errors. In: Mangard, S., Standaert, F.X. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2010, pp. 428–442. Springer, Berlin (2010)

  25. Oren, Y., Renauld, M., Standaert, F.X., Wool, A.: Algebraic side-channel attacks beyond the Hamming weight leakage model. In: International Workshop on Cryptographic Hardware and Embedded Systems—CHES 2012, pp. 140–154. Springer (2012)

  26. Oren, Y., Wool, A.: Tolerant algebraic side-channel analysis of AES. IACR Cryptology ePrint Archive, Report 2012/092 (2012). http://iss.oy.ne.ro/TASCA-eprint

  27. Oren, Y., Wool, A.: Side-channel cryptographic attacks using pseudo-Boolean optimization. Constraints 21(4), 616–645 (2016). https://doi.org/10.1007/s10601-015-9237-3

  28. Pearl, J.: Reverend Bayes on inference engines: a distributed hierarchical approach. In: Proceedings of the National Conference on Artificial Intelligence, pp. 133–136 (1982)

  29. Renauld, M., Standaert, F.X.: Algebraic side-channel attacks. In: 5th International Conference on Information Security and Cryptology, pp. 393–410. Springer (2009)

  30. Renauld, M., Standaert, F.X., Veyrat-Charvillon, N.: Algebraic side-channel attacks on the AES: why time also matters in DPA. In: Cryptographic Hardware and Embedded Systems—CHES 2009, pp. 97–111. Springer (2009)

  31. Rossi, F., van Beek, P., Walsh, T. (eds.): Handbook of Constraint Programming, Foundations of Artificial Intelligence, vol. 2. Elsevier, Amsterdam (2006)

  32. Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: 12th International Conference on Theory and Applications of Satisfiability Testing, SAT '09, pp. 244–257. Springer, Berlin (2009). https://doi.org/10.1007/978-3-642-02777-2_24

  33. Van Hentenryck, P., Carillon, J.P.: Generality versus specificity: an experience with AI and OR techniques. In: 7th AAAI National Conference on Artificial Intelligence, AAAI '88, pp. 660–664. AAAI Press (1988). http://dl.acm.org/citation.cfm?id=2887965.2888082

  34. Van Hentenryck, P., Michel, L.: The Objective-CP optimization system. In: Schulte, C. (ed.) Principles and Practice of Constraint Programming, pp. 8–29. Springer, Berlin (2013)

  35. Veyrat-Charvillon, N., Gérard, B., Standaert, F.X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology—ASIACRYPT 2014, pp. 282–296. Springer, Berlin (2014)

  36. Wolsey, L.: Integer Programming. Wiley Series in Discrete Mathematics and Optimization. Wiley, Hoboken (1998)

Acknowledgements

Laurent Michel and Waldemar Cruz were partially supported by Synchrony under Grant #790057267.

Funding

This work was not funded by any agency.

Author information

Corresponding author

Correspondence to Fanghui Liu.

Ethics declarations

Conflict of interest

All authors declare that they have no conflict of interest.


Appendices

AES IP model

1.1 Auxiliary encoding

As we mentioned earlier, the IP model linearizes all the constraints. To achieve this, auxiliary encoding is needed to linearize several functions such as XOR, substitution box, and xtime.

1.1.1 XOR

A common operation in cryptographic ciphers is the bit-wise Exclusive OR. Over a pair of bits \(x,y \in \{0,1\}\), Exclusive OR (\(\oplus \)) is linear over GF(2) but nonlinear as a function of integers, which is the form an IP model must express. The following pair of inequalities encodes the output \(o = x \oplus y = x + y - 2 \cdot x \cdot y\):

$$\begin{aligned}&x + y - 2\cdot x \cdot y - o \le 0\\&x + y - 2\cdot x \cdot y - o \ge 0 \end{aligned}$$

The product \(x \cdot y\) itself requires a linearized encoding: an additional variable \(z \in \{0,1\}\) is introduced to represent the product, and the following inequalities encode multiplication over Booleans.

$$\begin{aligned}&x - z \ge 0\\&y - z \ge 0\\&x + y - z - 1 \le 0 \end{aligned}$$

Clearly, \(z = 1\) forces both x and y to be 1. Conversely, when \(x = y = 1\), the third inequality forces \(z = 1\). If either x or y equals zero, then \(z = 0\): whenever any of the Boolean variables is zero, the product is zero as well. Multiplication over Booleans generalizes to a set of n Boolean variables \(b_{1}, \ldots , b_{n}\) with the following inequalities:

$$\begin{aligned}&\forall i \in \{1, \ldots , n\}: b_{i} - z \ge 0 &\quad (4)\\&\sum _{i=1}^{n} b_{i} - z - (n - 1) \le 0 &\quad (5) \end{aligned}$$

1.1.2 Substitution box

In AES, the SubBytes operation relies on a substitution box. A substitution box is a permutation \(\pi : \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) that is defined by a look-up table S. Specifically, the permutation \(\pi \) maps a group of n bits to another group of n bits. This represents a state transformation from a state variable \(x_{i} \in \{0,1\}^{n}\) to \(x_{i+1} \in \{0,1\}^{n}\). Each state variable is represented as a string of literals each representing a single bit. An n-bit state variable is represented as a string of n literals. A byte-length state variable x is represented as \(x_{7}x_{6}x_{5}x_{4}x_{3}x_{2}x_{1}x_{0}\).

Given an input state variable x and an output state variable y, the desired constraint is the relation \(y = \pi [x]\), i.e., the value y must be the \(x^{th}\) entry of the look-up table \(\pi \). Suppose the first row of the table maps the bit-string 00000000 to the bit-string 10011100. When the bits of x equal 00000000, the product of literals \(\bar{x_{7}}\bar{x_{6}}\bar{x_{5}}\bar{x_{4}}\bar{x_{3}} \bar{x_{2}}\bar{x_{1}}\bar{x_{0}}\) evaluates to one, which must force the bits of y to take the value 10011100, i.e., force the product of literals \(y_{7}\bar{y_{6}}\bar{y_{5}}y_{4}y_{3}y_{2}\bar{y_{1}}\bar{y_{0}}\) to evaluate to one as well. To encode the look-up table, each record is represented by a pair of inequalities stating that the two products are equal:

$$\begin{aligned}&\bar{x_{7}}\bar{x_{6}}\bar{x_{5}}\bar{x_{4}}\bar{x_{3}}\bar{x_{2}}\bar{x_{1}}\bar{x_{0}} - y_{7}\bar{y_{6}}\bar{y_{5}}y_{4}y_{3}y_{2}\bar{y_{1}}\bar{y_{0}} \le 0 \\&\bar{x_{7}}\bar{x_{6}}\bar{x_{5}}\bar{x_{4}}\bar{x_{3}}\bar{x_{2}}\bar{x_{1}}\bar{x_{0}} - y_{7}\bar{y_{6}}\bar{y_{5}}y_{4}y_{3}y_{2}\bar{y_{1}}\bar{y_{0}} \ge 0 \end{aligned}$$

It is clear that when the product \(\bar{x_{7}}\bar{x_{6}}\bar{x_{5}}\bar{x_{4}}\bar{x_{3}}\bar{x_{2}}\bar{x_{1}}\bar{x_{0}} = 1\), it forces the product \(y_{7}\bar{y_{6}}\bar{y_{5}}y_{4}y_{3}y_{2}\bar{y_{1}}\bar{y_{0}} = 1\). Similarly, when \(\bar{x_{7}}\bar{x_{6}}\bar{x_{5}}\bar{x_{4}}\bar{x_{3}}\bar{x_{2}}\bar{x_{1}}\bar{x_{0}} = 0\), \(y_{7}\bar{y_{6}}\bar{y_{5}}y_{4}y_{3}y_{2}\bar{y_{1}}\bar{y_{0}} = 0\).

Each n-ary product is linearized with the encoding described in (4)–(5), where a negated literal \(\bar{x_{i}}\) enters as the linear term \(1 - x_{i}\) so that the inequalities remain linear. Overall, the encoding requires \(2 \cdot (n + 1) \cdot 2^{8}\) inequalities for each look-up operation, where \(n = 8\) is the length of the bit-string and \(2^{8}\) is the number of records in the table.

1.1.3 xtime

xtime \(: \{0,1\}^8 \rightarrow \{0,1\}^8\) is the function transforming an 8-bit input sequence x into an 8-bit output sequence y, i.e., \(y =\)xtime(x), specified as:

$$\begin{aligned} y = \left\{ \begin{array}{ll} (x \ll 1) &{}\text {if } x_7 = 0 \\ (x \ll 1) \oplus \mathtt{0x1b} &{}\text {if } x_7 = 1 \\ \end{array}\right. \end{aligned}$$

that is, a left shift of the 8 bits followed by a conditional bit-wise XOR with the value 0x1b when the most significant bit \(x_7\) is 1. This is multiplication by x in \(GF(2^8)\) modulo the AES polynomial, described in Sect. 4.2.1 of the FIPS specification of AES [23]. To linearize xtime, the following bit-level encoding is applied, where each \(\oplus \) uses the XOR encoding of Sect. 1.1.1 and the remaining output bits are plain rewirings of input bits:

$$\begin{aligned} y_{i+1}= & {} x_i \oplus x_7\;\; \forall i\in \{0,2,3\} \\ y_{(i+1) \bmod 8}= & {} x_i\;\; \forall i\in \{1,4,5,6,7\} \end{aligned}$$
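The three encodings above (the XOR and Boolean-product inequalities, the record-by-record S-box inequalities and the bit-level xtime) can be generated and checked mechanically. The Python below is an added example and not the authors' TASCA-CP or IP model code: it emits the rows an IP solver would receive and verifies, by exhaustive enumeration, that the feasible (input, output) pairs are exactly the graph of the encoded function. The `LinearModel` class, its method names and the feasibility test are this example's own; the 4-bit PRESENT S-box [6] is used so that the S-box check is exhaustive, and the same `sbox` method accepts the 256-entry AES table.

```python
"""Bit-level IP linearization of XOR, Boolean products, S-box look-ups and xtime.
Added example, not the paper's model code.  Variables are 0/1 integers and every
constraint is a row  sum(c*v) + const (<= | >= | ==) 0, as an IP solver such as SCIP
consumes it.  A literal is (var, negated); x-bar is the linear term 1 - x."""
from itertools import product as cartesian

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,   # constructed 4-bit table (PRESENT),
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # small enough for an exhaustive check

class LinearModel:
    def __init__(self):
        self.nvars, self.rows, self.defs = 0, [], []      # defs: forward definitions of aux vars

    def new_var(self):
        self.nvars += 1
        return self.nvars - 1

    def add_row(self, terms, const, sense):
        self.rows.append((tuple(terms), const, sense))

    def product(self, lits):
        """z = AND of the literals via (4)-(5): l_i - z >= 0 and sum(l_i) - z - (n-1) <= 0."""
        z = self.new_var()
        lin = [((v, -1), 1) if neg else ((v, 1), 0) for v, neg in lits]   # literal = c*v + k
        for term, k in lin:
            self.add_row([term, (z, -1)], k, '>=')
        self.add_row([t for t, _ in lin] + [(z, -1)], sum(k for _, k in lin) - (len(lits) - 1), '<=')
        self.defs.append((z, 'and', lits))
        return z

    def xor(self, x, y):
        """o = x XOR y as the row x + y - 2z - o = 0 with z = x*y linearized."""
        z, o = self.product([(x, False), (y, False)]), self.new_var()
        self.add_row([(x, 1), (y, 1), (z, -2), (o, -1)], 0, '==')
        self.defs.append((o, 'xor', (x, y, z)))
        return o

    def copy(self, x):
        """y = x as a row, for the bits that xtime merely rewires."""
        y = self.new_var()
        self.add_row([(x, 1), (y, -1)], 0, '==')
        self.defs.append((y, 'copy', x))
        return y

    def sbox(self, xbits, table):
        """y = table[x]: per record r, product(x literals of r) == product(y literals of table[r])."""
        n, ybits = len(xbits), [self.new_var() for _ in xbits]
        for r, s in enumerate(table):
            px = self.product([(xbits[i], not (r >> i) & 1) for i in range(n)])
            py = self.product([(ybits[i], not (s >> i) & 1) for i in range(n)])
            self.add_row([(px, 1), (py, -1)], 0, '==')
        return ybits

    def xtime(self, xbits):
        """y_{i+1} = x_i XOR x_7 for i in {0,2,3}; y_{(i+1) mod 8} = x_i for the other i."""
        y = [None] * 8
        for i in range(8):
            y[(i + 1) % 8] = self.xor(xbits[i], xbits[7]) if i in (0, 2, 3) else self.copy(xbits[i])
        return y

    def feasible(self, fixed):
        """Exact feasibility for fixed input/output bits: every auxiliary variable is forced to
        one value by its own rows, so evaluate the definitions forward, then check every row."""
        val = dict(fixed)
        for v, kind, args in self.defs:
            forced = (int(all(val[u] ^ neg for u, neg in args)) if kind == 'and' else
                      val[args[0]] + val[args[1]] - 2 * val[args[2]] if kind == 'xor' else val[args])
            if val.setdefault(v, forced) != forced:          # caller fixed it to another value
                return False
        for terms, const, sense in self.rows:
            lhs = sum(c * val[v] for v, c in terms) + const
            if {'<=': lhs > 0, '>=': lhs < 0, '==': lhs != 0}[sense]:
                return False
        return True

def bits(v, n):
    return [(v >> i) & 1 for i in range(n)]                   # bit 0 first

def check_xor():
    """The feasible (x, y, o) triples are exactly the XOR truth table."""
    m = LinearModel()
    x, y = m.new_var(), m.new_var()
    o = m.xor(x, y)
    found = {t for t in cartesian((0, 1), repeat=3) if m.feasible(dict(zip((x, y, o), t)))}
    return found == {(a, b, a ^ b) for a in (0, 1) for b in (0, 1)}

def check_sbox(table=PRESENT_SBOX):
    """Exhaustive: (x, y) is feasible iff y == table[x].  Returns (ok, number of rows)."""
    n, m = len(table).bit_length() - 1, LinearModel()
    xb = [m.new_var() for _ in range(n)]
    yb = m.sbox(xb, table)
    ok = all(m.feasible(dict(zip(xb + yb, bits(xv, n) + bits(yv, n)))) == (yv == table[xv])
             for xv, yv in cartesian(range(1 << n), repeat=2))
    return ok, len(m.rows)

def check_xtime():
    """All 256 inputs: the rows accept xtime(x) and reject two nearby wrong outputs."""
    m = LinearModel()
    xb = [m.new_var() for _ in range(8)]
    yb = m.xtime(xb)
    for xv in range(256):
        want = ((xv << 1) ^ (0x1b if xv & 0x80 else 0)) & 0xff
        for yv in (want, want ^ 0x01, want ^ 0x1b):
            if m.feasible(dict(zip(xb + yb, bits(xv, 8) + bits(yv, 8)))) != (yv == want):
                return False
    return True
```

For the 4-bit table the model has 176 rows: 16 records, each with two linearized products of 4 literals (the \(2 \cdot (n+1)\) inequalities per record) plus one equality row tying the two product variables together. The feasibility test is exact only because every auxiliary variable is pinned to a single value by its own rows; a model with free auxiliaries would need an actual solver.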

1.2 AES constraints

  • AddRoundKey is a straightforward XOR operation. It takes in a state \(S_{sr,i,j}\) and a round key \(K_{r,i,j}\), then performs an XOR operation to translate \(S_{sr,i,j}\) to \(S_{sr+1,i,j}\). The linearization of the XOR operation is described above.

  • SubBytes is a nonlinear byte-wise substitution. The SubBytes permutation \(\pi :\{0,1\}^{8} \rightarrow \{0,1\}^{8}\) is defined by a look-up table, \(S_{r+1,i} = \pi [S_{r,i}]\), where the permutation \(\pi \) maps a group of 8 bits to another group of 8 bits. This operation transforms a state variable \(S_{sr,i,[0 \ldots 7]}\) into \(S_{sr+1,i,[0 \ldots 7]}\). The linearization of the SubBytes operation is described above.

  • ShiftRows is a logical circular shift of the rows of the state. Since it only moves bytes and computes no new values, it does not leak any side-channel information on its own. Therefore, ShiftRows is folded into MixColumns: the state variables are reindexed according to the ShiftRows rule and then passed to MixColumns.

  • MixColumns is a more complex operation that applies to a column of the state matrix at a time. At a high-level, it can be represented directly with:

    It is clear how ShiftRows is folded in MixColumns. The 32-bit MixColumns operation is repeated 4 times, once for every column. For an 8-bit processor, the transformation has an efficient implementation using 8-bit words [27], which is used by the IP model. The following shows the four equations for one output column \([o_0,o_1,o_2,o_3]\) based on an input column \([a_0,a_1,a_2,a_3]\):

    The linearization relies on the XOR and xtime encoding which is described in the previous section.

  • Key Expansion is an invertible key derivation function that maps a given cipher key to a series of round keys. The key expansion derives the next round key by applying a series of XOR operations to the current round key with round constants RC and a series of SubBytes substitutions. The following is an example of the derivation of the second round key:

    $$\begin{aligned}&K_{1,0} = SubBytes(K_{0,13}) \oplus K_{0,0} \oplus RC_{0}\\&K_{1,1} = SubBytes(K_{0,14}) \oplus K_{0,1} \\&K_{1,2} = SubBytes(K_{0,15}) \oplus K_{0,2} \\&K_{1,3} = SubBytes(K_{0,12}) \oplus K_{0,3}\\&\forall i\in \{0,\ldots ,11\}\; K_{1,i+4} = K_{1,i} \oplus K_{0,i+4} \end{aligned}$$
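The four MixColumns equations and the round-key derivation can be written out and checked against the FIPS 197 [23] known-answer vectors. The Python below is an added example, not the paper's model code: `mix_column` is the standard 8-bit formulation (\(2 \cdot a =\) xtime(a), \(3 \cdot a =\) xtime(a) \(\oplus a\)) with ShiftRows folded in by reindexing, and `next_round_key` is literally the \(K_{1,i}\) equations above in column-major byte indexing. The S-box is generated from its \(GF(2^8)\) definition rather than typed in; all function names are this example's own.

```python
"""AES MixColumns in the 8-bit xtime formulation (ShiftRows folded in) and the
AES-128 round-key derivation in the byte indexing above, K[r][i], i = 0..15,
column-major.  Added example, not the paper's code; the arithmetic is standard
AES (FIPS 197 Sect. 4.2.1, 5.1.3, 5.2) and is checked against FIPS 197 vectors."""

def xtime(x):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((x << 1) ^ (0x1b if x & 0x80 else 0)) & 0xff

def aes_sbox():
    """Generate the S-box from its definition: multiplicative inverse, then the affine map.
    Loop invariant p * q == 1 in GF(2^8); p walks the powers of the generator 3."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xff
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff        # p *= 3
        q ^= (q << 1) & 0xff
        q ^= (q << 2) & 0xff
        q ^= (q << 4) & 0xff
        if q & 0x80:
            q ^= 0x09                                                  # q /= 3
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                                     # 0 has no inverse
    return sbox

def mix_column(a):
    """[a0..a3] -> [o0..o3] using only xtime and XOR: 2*a = xtime(a), 3*a = xtime(a) ^ a."""
    a0, a1, a2, a3 = a
    return [xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
            a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
            a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
            xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)]

def shift_rows_mix_columns(state):
    """ShiftRows folded into MixColumns on a column-major 16-byte state (byte r + 4*c).
    Row r is rotated left by r positions, then each of the 4 columns is mixed."""
    shifted = [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        out += mix_column(shifted[4 * c:4 * c + 4])
    return out

def next_round_key(k, rc, sbox):
    """K[r+1] from K[r], literally the K_{1,i} equations above: SubBytes of the rotated
    last word XOR first word XOR round constant, then each later word XORs the previous."""
    nk = [0] * 16
    nk[0] = sbox[k[13]] ^ k[0] ^ rc
    nk[1] = sbox[k[14]] ^ k[1]
    nk[2] = sbox[k[15]] ^ k[2]
    nk[3] = sbox[k[12]] ^ k[3]
    for i in range(12):
        nk[i + 4] = nk[i] ^ k[i + 4]
    return nk

def expand_key_128(key):
    """All 11 AES-128 round keys; RC_r = x^r in GF(2^8), so RC_0 = 0x01 and RC_{r+1} = xtime(RC_r)."""
    sbox, keys, rc = aes_sbox(), [list(key)], 0x01
    for _ in range(10):
        keys.append(next_round_key(keys[-1], rc, sbox))
        rc = xtime(rc)
    return keys

# FIPS 197 Appendix B round-1 state after SubBytes and after MixColumns, and the
# Appendix A.1 key schedule, used as known-answer checks.
FIPS_AFTER_SUBBYTES = bytes.fromhex("d42711aee0bf98f1b8b45de51e415230")
FIPS_AFTER_MIXCOLUMNS = bytes.fromhex("046681e5e0cb199a48f8d37a2806264c")
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS_ROUND_KEY_1 = bytes.fromhex("a0fafe1788542cb123a339392a6c7605")

if __name__ == "__main__":
    assert shift_rows_mix_columns(FIPS_AFTER_SUBBYTES) == list(FIPS_AFTER_MIXCOLUMNS)
    assert expand_key_128(FIPS_KEY)[1] == list(FIPS_ROUND_KEY_1)
    print("MixColumns and key expansion match FIPS 197")
```

In the IP model each `^` in `mix_column` and `next_round_key` becomes one XOR encoding and each `xtime` the bit-level rewiring of Sect. 1.1.3, so the number of auxiliary variables per column is fixed and small; the known-answer check above is what to rerun after changing the byte indexing or the round-constant schedule.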

Search

1.1 Algorithm


AES-128 COP model


About this article

Cite this article

Liu, F., Cruz, W. & Michel, L. A comprehensive tolerant algebraic side-channel attack over modern ciphers using constraint programming. J Cryptogr Eng 12, 197–228 (2022). https://doi.org/10.1007/s13389-021-00280-9

